Yeah, not great. OTOH I worked on an early EMV implementation almost 20 years ago now, and it was obvious even then that mag stripe was a huge security problem. I'm amazed we're still talking about mag stripes and issuing cards with them in 2020.
They should have been retired over a decade ago.
My guess is lobbying by insurance and reinsurance drove most of that conversation, because the only downside I've seen from chip & pin implementation is that you have to touch the terminal. Paywave and contactless are now mainstream, so this is a non-issue.
Chip and pin is also used for offline transactions. Never once in Europe have I signed/seen someone sign.
PIN is verified on card, not over network.
It's not the terminal upgrade that's the barrier. At many businesses, if you upgrade the terminal you also have to replace the point-of-sale system. Then you have to integrate it with your existing backend sales system, fulfillment system, inventory system, and more. And you're lucky if all of that can then be integrated into your accounting system. Then you have to retrain all of the people who will ever touch any part of the entire process.
You see it as upgrading the terminal because that's all you see. But that is the very small tip of a very large iceberg.
You Americans need to stop whining and get on with it like the rest of the world has. I mean, honestly, most shops here are now moving on to accepting contactless payments, so you're two generations behind. Makes America look like backward yokels.
So 4% of the world hasn't done something ~15% of the world has done in a situation that isn't even relevant to at least 18% of the world.
Second is, is there a way to gain the safety of the chip and pin with online purchases. Currently I obscure my CC info by using PayPal where available and when in the real world I live by Apple Pay. If I could disable access to my card by stripe for real world where Apple Pay is not usable I would.
Yes, there's this 2FA thing where you're redirected to your bank's website and you have to enter the code they send to your phone. I've had this for ages and I'm surprised there are still places where it's not mainstream.
Magstripes tho? I remember using mine when I visited the US in 2016 and that's about the only time when I used it. It was weird too, because most terminals had the chip slot but cashiers insisted that you swipe. The most bizarre part is that sometimes the transaction went through with just the swipe — no PIN, nothing.
In the UK we have had "Verified by Visa" and "Mastercard 3D Secure" for many/most online transactions for a long time (12 years?)
It's effectively a form of 2FA, the transaction flow diverts to a bank portal where you authorise the transaction with a password, or a selection of digits from a passcode. This never goes near retailer systems.
It's not the same level of assurance as EMV, but it is something, and any transactions that don't go via that system are more likely to be declined or flagged as fraud.
So, your bank opts in to the Verified by Visa scheme (they can't opt individual account holders out, or at least my otherwise very co-operative "good" bank said they can't when I asked years ago).
If an online retailer performs Authorisation the API they talk to will examine your card number and conclude it needs this extra check, so it tells them to forward your browser to an HTTPS site you've never heard of, in the arcot.com domain. I guess if you're a huge bank you've heard of Arcot, but consumers haven't. The site claims to be from your famous bank brand, but the domain name clearly isn't, anybody who has learned anything about phishing ought to run screaming.
The arcot.com HTTPS site looks at the transaction and if you've never done this before it (presumably always? but maybe if there's a fraud flag this doesn't happen?) registers you for the "Verified by Visa" service. You can pick "No, I'm busy right now, just let me buy stuff" and it will give you a few passes, but I believe eventually it's mandatory.
Signing up requires giving them some details about the card, and also effectively creating yet another secret password. (Because we all know secret passwords are great right?). There might be an option to pick a picture or text greeting so you'll "know it's them" although of course a sophisticated attacker could duplicate that part...
On subsequent visits you may be asked for that secret if you've created it. Or, it might give up asking and just say everything is fine before returning you to the original payment flow. My transactions are reassuringly boring so I am never asked for anything these days.
The whole thing looks like it was built by people who were impressed by IE6 and are planning to buy a 17" display soon. The cryptography would be impressive for the IE6 era and not so much today, it's TLS 1.2, it has some basic precautions, but it's scarcely Fort Knox, your GMail is better protected.
Practically all domestic online retailers here have used those over 10 years now, and AFAIK there is no opt-out (at least for regular bank-issued consumer VISA/MC cards).
Not sure how this would impact the usability of your card though, in case you do end up relying on the magstripe.
It would make sense to eliminate magstripes, to limit them to $40, to let people decide their own limit, or any number of other things - the trouble is that the incentives of the businesses, banks, and credit card companies are more to make every transaction a success and to blame the consumer when they're too successful.
Yes, I recognize this is bad framing, the fault isn't with the victim nor really with the perpetrator but the incompetent designer of the lock.
Contactless already has transaction limits so clearly payment method-specific transaction limits do not create "unacceptable missed profit".
This isn't true with US payment cards, in my experience. I've charged over $1000 on a credit card multiple times while using contactless methods (both RFID and Apple Pay, specifically). I was also able to do the same with my (American) cards while in Europe.
This is because contactless card payments have no cardholder verification.
I am quite surprised if you can do that with your cards in Europe as the limit is usually enforced on/by the merchant, not the card.
The perpetrator isn't at fault?
You wouldn't leave your door unlocked at night because it's the burglar's responsibility to be a better citizen.
Also most (all?) card holders don't have a problem with the chip, they may be unable to remember a PIN, or unable to enter one, in which case the chip terminal requests a human witness them signing something or asks the retailer to accept just the chip. Americans using European terminals may not have a PIN either, their chips tell the terminal this user doesn't have a PIN, they may be asked to sign something instead.
Or, in the case of unmonitored "kiosks", the American is just left with a failed transaction. This was my experience with train ticket terminals in Italy and unattended petrol stations in the UK. Fortunately, in both cases, my secondary card has a PIN enabled. It was irritating that my primary card didn't offer a PIN, so I cancelled it upon my return to the US.
Edit - this was 5 years ago, may have changed since, not sure as I changed cards to one that explicitly offered chip/pin at the time.
Old school gas station attack: many gas stations queue and forward transactions for reconciliation in batches, waiting to do so when they don't have connectivity. People have taken advantage of this fact by climbing up on the roof of stations with satellite connections for their POS terminals, tin-foiling them or otherwise blocking their transmission, then buying a bunch of gas with a stolen credit card. Head down to the next gas station, lather rinse repeat, and by the time things get figured out you've got maybe a hundred gallons of gas and a bunch of candy bars you can trade for meth (this is not a Bond Villain-level crime).
That's irrelevant to this attack. Bad guys aren't obliged to use that terminal, and they're the ones relying on access to a mag-stripe reader.
However for that "old school" attack EMV could help if it was deployed. Because EMV cards have state, they can have arbitrary rules about how often they're willing to perform offline transactions and how much value for. So e.g. a card can decide it won't do more than five offline transactions or more than $100 of transactions without going online.
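An added example (mine, not from the comment above or from any card vendor) modelling the card-side offline counters the comment describes: a simplified version of the two GENERATE AC decisions an EMV chip makes, with constructed limits of five offline transactions and $100 cumulative value. Once the budget is spent, a terminal that cannot reach the issuer (the blocked-satellite scenario earlier in the thread) gets a decline instead of another offline approval.

```python
from dataclasses import dataclass, field


@dataclass
class OfflineRiskProfile:
    """Issuer-personalised limits (constructed values, not a real card profile)."""
    max_offline_txns: int = 5        # offline approvals allowed before going online
    max_offline_cents: int = 10_000  # cumulative offline value before going online


@dataclass
class CardRiskState:
    """Counters the chip persists across transactions (the 'state' the comment mentions)."""
    profile: OfflineRiskProfile = field(default_factory=OfflineRiskProfile)
    offline_txns: int = 0
    offline_cents: int = 0

    def within_budget(self, amount_cents: int) -> bool:
        p = self.profile
        return (self.offline_txns + 1 <= p.max_offline_txns
                and self.offline_cents + amount_cents <= p.max_offline_cents)

    def first_generate_ac(self, amount_cents: int) -> str:
        """Card's first decision: TC = approve offline, ARQC = ask the issuer, AAC = decline."""
        if amount_cents <= 0:
            return "AAC"
        if self.within_budget(amount_cents):
            self.offline_txns += 1
            self.offline_cents += amount_cents
            return "TC"
        return "ARQC"

    def second_generate_ac(self, amount_cents: int, issuer_reached: bool) -> str:
        """Called after an ARQC once the terminal reports whether it got online."""
        if issuer_reached:
            # The issuer saw the transaction, so the offline counters start over
            self.offline_txns = 0
            self.offline_cents = 0
            return "TC"
        # No connectivity and the offline budget is spent: refuse to approve
        return "AAC"


def run_transaction(card: CardRiskState, amount_cents: int, terminal_online: bool) -> str:
    """Terminal-side flow; returns APPROVED_OFFLINE, APPROVED_ONLINE or DECLINED."""
    ac = card.first_generate_ac(amount_cents)
    if ac == "TC":
        return "APPROVED_OFFLINE"
    if ac == "AAC":
        return "DECLINED"
    # ARQC: the terminal attempts to contact the issuer and reports the result
    ac2 = card.second_generate_ac(amount_cents, terminal_online)
    return "APPROVED_ONLINE" if ac2 == "TC" else "DECLINED"


def simulate(amounts_cents, terminal_online: bool):
    """Run a sequence of purchases against one fresh card and collect the outcomes."""
    card = CardRiskState()
    return [run_transaction(card, a, terminal_online) for a in amounts_cents]


if __name__ == "__main__":
    # Six $20 fills at a station whose uplink is blocked: the sixth is declined
    print(simulate([2000] * 6, terminal_online=False))
    # Same run with connectivity: the sixth goes online and resets the counters
    print(simulate([2000] * 7, terminal_online=True))
```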
You're entirely correct with EMV. Additionally, more gas stations are moving away from the old satellite connections, and an m2m cellular card in a POS terminal is a lot harder to shut down (at least without the cashier noticing).
Here's how this goes (everything in this story actually happened in England years ago, but that's before a change this story says wasn't entirely effective in eradicating the fraud)
Sarah lives in England where they are getting EMV terminals everywhere. Her cousin Terry lives somewhere which doesn't yet have terminals everywhere. Let's say it's Belgium, although in fact it was not.
Sarah owns a dozen petrol stations (that's what they call gas stations in England) and there are shiny EMV terminals arriving. Terry sends over instructions and electronic kits. The terminals are hollow and the instructions explain how to open one without the "anti-tamper" mechanism noticing and add more electronics in the convenient space.
Sarah teaches all her staff how to use the new terminals. She of course doesn't mention they've been tampered with.
You go to a petrol station, fill up your car, and hand your card to the clerk. "We got new machines" says the clerk and hands the card back. You put your card in the machine, and enter your PIN. I guess this is more secure?
In Belgium, Terry receives the magnetic stripe details of your card, retrieved from the chip using a convenient "Hey what is your mag-stripe?" API and sent over by a mobile chip in that circuit Sarah fitted. Terry has a mag-stripe writer and turns a cheap plastic card into a good-enough clone of your bank card. He sells this card to street level criminals in Belgium for €100, Sarah will get £10 per card as her cut.
Those street-level Belgian crooks need mag-stripe terminals because their cards have no chip, but you not swiping made no difference.
Edited to add:
While we're here. This is a recurring security problem. Old insecure systems can ruin it for new secure systems.
Imagine you have a brand new, up-to-the-minute TLS 1.3 only website. You use a cert for www.example.com with a nice shiny Elliptic curve public key & the corresponding Elliptic curve private key is in an HSM at a protected site, no problems. What can go wrong? Unknown to you, some numb-nuts who was angry about the company choosing Slack set up an "experimental" IRC server doing SSLv3 on port 6667 of their laptop using a *.example.com wildcard RSA cert that's still valid until next month. Bad guys who get even fairly limited access to your network can attack that IRC server, which is running on a high port on some idiot's laptop computer in corporate, not the secure datacentre where the web server is, and use it to flawlessly impersonate www.example.com if they can get on-path. They know this trick can work as soon as they find the IRC server, no special insight is needed.
It's not obvious at all that you should leave it in - particularly when accustomed to the ubiquitous slide-in-and-out-fast kind.
This one tried to lock my card in, but when I reflexively yanked on it to pull it out, somehow it lost contact with the chip or something. What followed was a stuck card in this machine, and the machine stuck on "verifying"... no cancel buttons worked either. Eventually, after a long and disconcerting minute had passed, it finally released my card and told me to go inside for payment.
Definitely not user friendly in the slightest... and just an awful way to start your morning on your way to work.
Both the standard card data and the underlying magnetic fingerprint of the card is read, all in a single swipe. 
I guess it makes it "more /just as able to be authenticated as a genuine card" though.
To the best of my knowledge, I don't think anyone has been able to replicate a mag stripe's fingerprint on another card's mag stripe. However, this security measure has probably seen a few orders of magnitude less adversaries than EMV and RFID have.
You'd think with COVID-19, there'd be a rush to move to contactless payments.
Overkill... Maybe? But it costs me nothing so I'll take the peace of mind.
It's not about your individual glove. It's the 300 million-ish people using 10 disposable gloves a day.
>And the way you solve pollution and microplastics from items in the trash can is by making sure that trash from cans is handled appropriately. Not by having consumers reduce their trash by a few percent.
How can you handle the level of trash we have responsibly? What's the plan? You seem to know, so please share it with the world so we can save the planet.
Given that I only fill my car once every 14 days, and only use 1 single glove for the hand touching the handle, I'm not overly concerned about the generated waste. Even if every American did this during the pandemic it would be dwarfed by the number of gloves used by hospitals even before covid.
I certainly agree that plastic waste is a major issue, and I'll certainly re-evaluate my current method when we aren't mid-pandemic, but I'm confident there's simpler ways to reduce plastic waste in more meaningful amounts. I'm pretty sure that I've removed more unnecessary packaging plastic from purchased goods in the past month than gloves I've personally used total this year (I dabble with stuff you want to wear gloves with).
FWIW, At least in MA, it's rare to see a gas pump older than 10 years -- I think due to both Federal and MA State UST laws that require fairly recent (e.g. 2019) minimum standards such as double walled, properly cathodized, leak detecting tanks along with subsidies for tank replacement that have resulted in pretty much every gas station around here being totally renovated in the past 5 years or so.
This is in Texas, for reference.
Go more places.
I know of a national restaurant chain and a regional coffee chain that are swipe only.
Also, Lowe's was swipe only the last time I was in there, but that was a several months ago.
As for the experience of using each, it seems to depend a lot on the machines. I did not like using chip and pin in Europe because it seemed to take longer and required more interactions. With the magstripe I pull the card out, swipe it, put it away. I'm never waiting for anything. Sometimes I'd have to swipe it twice, but that didn't happen too often to me. But it seems like different people have very different experiences with these things.
edit: this mostly applies to credit cards, which are much more common in the US than in Europe. But the lack of significant benefit for credit cards to use this technology could have resulted in momentum that slowed the adoption of it for debit cards.
Europe was late to the credit card game, so when it finally got on board it had newer gear. The Americans already had their stuff in place and it worked.
Unlike computer nerds who will upgrade their computers just to feel current, businesses don't throw around money unless they have a very good reason.
Edit: so it's more about the willingness to require cost for upgrades than there being costs for upgrades, I think.
A few years ago NFC terminals weren't really popular around here, but nowadays it's hard to find a terminal without the support. I think this applies for quite a few EU countries.
NFC technology is less secure, but every purchase above 25 EUR requires PIN verification, so there is a limit on how much can be stolen.
EDIT: Btw. they lifted that limit temporarily to a much higher value (something >50€) so that fewer people have to touch the numpad when shopping (at least in/for larger grocery stores).
I deliberately own (special ordered from my bank) a card that has no contactless, and it's also the card my phone "is" so all contactless transactions with that card are through the phone, the bank never issued a contactless card so it's literally impossible that the card itself was used for a contactless transaction.
Using the phone this way allows me to walk around the supermarket, scanning product codes with the phone, then walk to the checkout, scan the "I'm done" code and hold the phone near the contactless checkout as payment. No human interaction, very little touching stuff, only need the phone which I'd carry anyway, no cards or cash.
I got contactless cards about 10ish years ago, then when those renewed, it was back to stripe (and embossed) only; then chip and stripe and embossed; then chip and stripe but mostly flat; now this year I'm getting chip and stripe and contactless and apparently only Amex is embossing for carbon copy imprinters.
They were pretty clear that gas pump readers were the biggest issue, as customers dislike centralized outdoor readers or having to go into the establishment, stand in line, and use their counter POS system.
Basically, credit cards can be very secure. But it also costs. Banks do simple cost/benefit decisions and may in many cases significantly lag behind in technology for various reasons. They get away with this because consumers have absolutely no idea how cards differ and what the options are.
Everyone pays the price of fraud and it's probably one major reason that explains high interchange fees in the US.
The EU caps the interchange fee, does that mean the networks exit the business because they can't make money? No. Does it mean they've eliminated fraud? No. But it does mean they can't pay Karen 5% "reward" so they don't. There aren't any cards like that in Europe. For everybody else it makes the system cheaper.
Yes, rewards cards are paid for with interchange fees, but that doesn’t mean that’s the only thing they pay for. Most people pay more interest than they earn in fees per year anyways shrug
We pay for fraud with increased transaction fees.
If the bank has calculated that extra fraud costs less than the price mitigating it with additional security measures, and it is the one bearing the cost either way, then power to them!
Even for me--someone who has multiple payment cards, primarily uses credit (instead of debit), a healthy savings account, and a flexible job--cleaning up from a stolen credit card number takes two or three hours at a minimum. For someone who does not have those things, particularly for people who primarily use debit cards, the impact is far worse.
If we swapped our cards to simply require a PIN that's validated by the chip on the card (so that in-person charges without the proper PIN cannot complete, even if the card is shimmed), that removes the bulk of in-person fraud attempts. But US banks are, largely, so fearful of customers switching away from them at even the slightest provocation, we don't get PINs. So I'm forced to ask what other "basic" measures (like 3D Secure for online transactions) we lack.
0 - I don't want to hear the rebuttal that "well, people should just use credit cards." There are a hundred different reasons why people don't use credit cards--don't qualify for one, have an objection to debt, past bad experience, and so on--and we cannot write off people who "only" use debit from security measures.
You could also make an argument that by continuing to allow this fraud to happen we're funding all kinds of nasty people. I'm not convinced the argument holds water since bad guys are often faster to move than the banks but it's worth noting.
In the few European countries I know, banks are very pro-active about card fraud and refund without asking questions if fraud happens anyway.
Nasty people will get funded anyway, but reducing fraud also reduces their income. The main drawback is that people have to use their PIN (and even that is getting rare thanks to contactless cards).
Do you have any tips/resources for how an interested consumer can become more informed (whether for personal or small business accounts)?
Would you be able to get this type of information you'd be able to get to through contacting support, if you know the right way to ask? Or would it be considered too sensitive for the bank to give out implementation details that easily?
Well if there's a time and a place to educate people, it's here and now. Your knowledge would be appreciated, TIA
Contactless magstripe (MSD) is a workaround that allows for a contactless payment, but really is just sending the same (insecure) track data through the backend software. Contactless EMV is the right way, but requires more sophisticated software.
So, from my point of view, it could certainly be improved (along the lines of what Apple Pay is doing with tokenisation: confidentiality is an issue), but there is no real reason to complain.
As long as fraudulent transactions are rare enough that the banks don’t drag their feet, it’s fine.
Is there a rating system?
Any way to inspect transactions to see the whatnots?
Knowing nothing, I've been doing as much as possible using Apple Pay, because IIRC they do some kind of token exchange, vs sending my digits across the wire.
https://wallethub.com/credit-cards/chip-and-pin/ I discussed each of the cards noted here with the issuers, not one is actually chip+pin credit.
* Andrews FCU (Visa, one of the cards is also contactless) - Must ask for the "international travel" card, the default is chip-and-sign
* State Department FCU (Visa) - Must ask for the "international travel" card, the default is chip-and-sign
* Target REDcard Mastercard (you have to get the normal store card and hope to get swapped out to the Mastercard after a few months/years/epochs; you can't get the Mastercard from the first go)
I imagine the card networks just don’t want to spend money to change the infrastructure to support chip and pin because the merchant pays for most of the losses in the US?
He literally didn't believe me when I said American cards still ask for signatures. By luck there was an American also riding in the cabin who piped up to verify my story and I was allowed to pay when I reached my destination.
In Australia the same card works with contactless payment, which never asks for a signature, up to AU$100. But as soon as I go over that limit it's a card dip + signature.
With EMV, someone can still use your card after they steal it. With chip and pin, that is far more difficult. I don’t know if the merchant is off the hook even with just chip, I presume the card networks kept some weasel language in order to allow them to blame the merchant.
What is the difference between Chip and PIN versus Chip and Signature?
Chip and PIN is the most secure type of credit card technology. Instead of a signature being used for identity verification, it requires you to enter a four-digit Personal Identification Number (PIN) that must correspond to information contained in a computer chip embedded within the card. The Chip and PIN authentication method has been a global standard across Europe and Asia for many years which means using your card while traveling overseas will be even more convenient. Authorizing your transactions with a PIN is not new to debit card transactions, but is a new way to authorize payments with a credit card.
You may occasionally still be asked to sign for transactions while using your chip card. Please be assured that while these transactions are still secure, many merchants do not yet support chip and PIN so you may encounter this from time to time. First Tech is committed to ensuring chip and PIN technology is available wherever merchants accept it. Learn more at firsttechfed.com/mastercard.
This article says there's a few, ymmv
(Source: I have one, and the only time I've entered the PIN is at a British train ticket machine.)
That should not work because banks are supposed to look for the iCVV only on dipped transactions, and look for the CVV on swiped transactions (and the CSC for online/telephone transactions).
Some banks apparently left out the logic of matching the type of code to the transaction method, and so using iCVV in place of CVV works for them.
Even if all banks got this right, though, it seems to me you could still get fraud. The CVV is only three digits. Once you've got the card number just make a stripe card and guess the CVV. If it fails, try another CVV. As long as you don't do too many guesses too close together and cause the bank to lock out the card, you should eventually find the right CVV.
Even if the bank is very trigger happy on fraud lockouts, if your skimmers got several thousand card numbers you are going to have many CVV guesses turn out to be right the first time.
Instead of the stripe on cards that have both EMV and stripe being just a copy of the same card that is in the EMV side of things, shouldn't they be separate? The issuing bank should issue two logical cards for the underlying account, with one being EMV only and one being stripe/online only.
What really needs to be done is letting go of the magnetic stripe.
Going back to the store a few days later and the same machine will work, I wonder how often the machine's readers are cleaned.
At this point I've just given up and insert the card three times before being forced to use the mag stripe. I don't even know what else to do...
Apple Cards have just the name on them, which is a nice step in the right direction. (No contactless, though, which is weird.)
(semi serious here - I'm sure they want you to use Apple Pay)
Both are more secure than using the card directly with contactless - you have verified to your phone that it is you using it, by logging in with face ID, touch ID, passcode, PIN, whatever. It's a form of cardholder verification that is missing when you use the card.
That was my (slightly snarky) point - you don't need contactless on the card when you have a smart device that does it better.
And the embossed cards tend to have their ink rub off anyway.
It's been pretty standard for over ten years...
(I'm in the UK, I have no idea how our market compares to yours)
It's unheard of in the US.
I can't use my bank card without mutual validation, same with my credit card. Even if you do it manually we still get a challenge-response that you use a hardware device or an app for.
I don’t know about other countries, but this is basically the premise of QRIS Technology used in Indonesia, basically to put an end to competing in QR-based payment methods.
I also wouldn't want my ability to pay to be tied to my phone. Not only do I want to be able to pay for things even when my phone is dead, but it just seems like it would add yet another vector of attack to steal my money.
> Wouldn't work in a lot of places where there's no LTE reception,
I happened to read about this recently (https://www.emvco.com/emv-technologies/qrcodes/), since it's going to be the base of Brazil's new instant payment system to be released later this year (PIX - https://www.bcb.gov.br/estabilidadefinanceira/forumpagamento...).
From what I understood, it does have a way to do offline transactions. There are two kinds of QR codes: one which is scanned by the app and used for both online and offline transactions, and a second kind used when offline which is presented by the app and scanned by the POS. This second QR code contains data similar to what a chip card would return to the reader during an offline transaction, so the transaction flow after that point is similar.
Since the verification can be done on the client side entirely it's subject to hacking. You can freeze the chip, slowing it down so you can actually see it run under a microscope. You can make it read-only (so the PIN miss is not recorded on the chip, and so on).
There are recorded cases where the card also held a digital wallet and students made it read only so they had an infinite wallet for small expenses ...
"Codes written on the track with equivalent data stored on the chip to prevent fraud. All chip cards are issued with the card security code on the track data stored on the magnetic stripe and chip card security code stored on the chip. Calculated with the same DES key but with a ‘999’ service code"
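An added example (mine, not from any commenter or issuer) serving both the iCVV/CVV comments above and the quoted note on the '999' service code: an issuer-side check that derives the expected code from the POS entry mode rather than accepting either code. HMAC-SHA256 stands in for the DES-based calculation, the stripe service code '201' and the issuer key are constructed, and a failure counter caps the repeated-guess problem one comment raises.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed issuer key; the real scheme uses a DES key pair, HMAC stands in here
ISSUER_KEY = b"constructed-issuer-key-not-real"

SERVICE_CODE_STRIPE = "201"  # constructed: service code written on this card's track
SERVICE_CODE_ICVV = "999"    # fixed service code used for the chip's iCVV, as quoted

SWIPED, DIPPED = "swiped", "dipped"  # entry modes the POS reports (constructed labels)


def derive_code(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Derive a 3-digit code from PAN, expiry and service code.
    Same key, different service code gives a different code: that is the
    property that separates the stripe CVV from the chip iCVV."""
    data = f"{pan}{expiry_yymm}{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()
    # Simplified decimalisation: first three decimal digits of the hex digest
    return "".join(c for c in digest if c.isdigit())[:3]


@dataclass
class Card:
    pan: str
    expiry: str
    cvv: str   # lives on the magnetic stripe
    icvv: str  # lives in the chip's track-equivalent data


def issue(pan: str, expiry: str) -> Card:
    return Card(pan, expiry,
                cvv=derive_code(pan, expiry, SERVICE_CODE_STRIPE),
                icvv=derive_code(pan, expiry, SERVICE_CODE_ICVV))


def verify_weak(card: Card, entry_mode: str, presented: str) -> bool:
    """The flawed check the thread describes: either code passes, whatever the entry mode,
    so chip data replayed onto a stripe is accepted."""
    return presented in (card.cvv, card.icvv)


def verify_strict(card: Card, entry_mode: str, presented: str) -> bool:
    """Match the code type to the entry mode: iCVV only for dips, CVV only for swipes."""
    expected = card.icvv if entry_mode == DIPPED else card.cvv
    return hmac.compare_digest(presented, expected)


@dataclass
class Issuer:
    cards: dict
    max_failures: int = 3                      # constructed lockout threshold
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authorize(self, pan: str, entry_mode: str, presented: str) -> str:
        card = self.cards.get(pan)
        if card is None or pan in self.locked:
            return "DECLINED"
        if verify_strict(card, entry_mode, presented):
            self.failures[pan] = 0
            return "APPROVED"
        # Wrong code: count it so a run of guesses locks the card
        self.failures[pan] = self.failures.get(pan, 0) + 1
        if self.failures[pan] >= self.max_failures:
            self.locked.add(pan)
            return "DECLINED_LOCKED"
        return "DECLINED"


if __name__ == "__main__":
    card = issue("4000123412341234", "2512")  # constructed PAN and expiry
    print("weak check accepts iCVV on a swipe:", verify_weak(card, SWIPED, card.icvv))
    print("strict check accepts iCVV on a swipe:", verify_strict(card, SWIPED, card.icvv))
```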